This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
An Efficient TCAM-Based Implementation of Multipattern Matching Using Covered State Encoding
February 2012 (vol. 61 no. 2)
pp. 213-221
SangKyun Yun, Yonsei University, Wonju
This paper proposes a state encoding scheme called a covered state encoding for the efficient TCAM-based implementation of the Aho-Corasick multipattern matching algorithm, which is widely used in network intrusion detection systems. Since the information of failure transitions of the Aho-Corasick Nondeterministic Finite Automata (NFA) is implicitly captured in the covered state encoding and the failure transition entries can be completely eliminated, the Aho-Corasick NFA can be implemented on a TCAM with smaller number of entries than other schemes. We also propose constructing the modified Aho-Corasick NFA for multicharacter processing, which can be implemented on a TCAM using the covered state encoding. The implementation of modified Aho-Corasick NFA using the covered state encoding is also superior to other schemes in both TCAM memory requirement and lookup speed.

[1] M. Alicherry, M. Muthuprasanna, and V. Kumar, "High Speed Pattern Matching for Network IDS/IPS," Proc. 14th IEEE Int'l Conf. Network Protocols (ICNP), vol. 11, pp. 187-196, 2006.
[2] M. Alicherry and M. Muthuprasanna, "Method and System for Multi-Character Multi-Pattern Pattern Matching," US Patent Application No. 20080046423, Feb. 2008.
[3] M. Gould, R. Barrie, D. Williams, and N. de Jong, "Apparatus and Method for Memory Efficient, Programmable, Pattern Matching Finite State Machine Hardware," US Patent No. 7082044 B2, July 2006.
[4] M. Gao, K. Zhang, and J. Lu, "Efficient Packet Matching for Gigabit Network Intrusion Detection Using TCAMs," Proc. 20th Int'l Conf. Advanced Information Networking and Applications (AINA), 2006.
[5] F. Yu, R. Katz, and T. Lakshman, "Gigabit Rate Packet Pattern-Matching Using TCAM," Proc. 12th IEEE Int'l Conf. Network Protocols (ICNP '04), pp. 174-183, 2004.
[6] Y. Weinsberg, S. Tzur-David, D. Dolev, and T. Anker, "High Performance String Matching Algorithm for a Network Intrusion Prevention System (NIPS)," Proc. IEEE High Performance Switching and Routing (HPSR), pp. 147-154, 2006.
[7] S. Dharmapurikar, M. Attig, and J. Lockwood, "Deep Packet Inspection Using Parallel Bloom Filters," IEEE Micro, vol. 24, no. 1, pp. 52-61, Jan./Feb. 2004.
[8] N. Tuck, T. Sherwood, B. Calder, and G. Varghese, "Deterministic Memory-Efficient String Matching Algorithms for Intrusion Detection," Proc. IEEE INFOCOM, vol. 4, pp. 2628-2639, 2004.
[9] L. Tan, B. Brotherton, and T. Sherwood, "Bit-Split String-Matching Engines for Intrusion Detection and Prevention," ACM Trans. Architecture and Code Optimization, vol. 3, no. 1, pp. 3-34, 2006.
[10] J. van Lunteren, "High-Performance Pattern-Matching for Intrusion Detection," Proc. IEEE INFOCOM, vol. 4, 2006.
[11] A. Bremler-Barr, D. Hay, and Y. Koral, "CompactDFA: Generic State Machine Compression for Scalable Pattern Matching," Proc. IEEE INFOCOM, 2010.
[12] C. Clark and D. Schimmel, "Scalable Pattern Matching for High Speed Networks," Proc. 12th Ann. IEEE Symp. Field-Programmable Custom Computing Machines (FCCM), 2004.
[13] B. Hutchings, R. Franklin, and D. Carver, "Assisting Network Intrusion Detection with Reconfigurable Hardware," Proc. 10th Ann. IEEE Symp. Field-Programmable Custom Computing Machines (FCCM), pp. 111-120, 2002.
[14] I. Sourdis and D. Pnevmatikatos, "Pre-Decoded Cams for Efficient and High-Speed NIDS Pattern Matching," Proc. 12th Ann. IEEE Symp. Field-Programmable Custom Computing Machines (FCCM), pp. 258-267, 2004.
[15] Y.H. Cho, S. Navab, and W.H. Mangione-Smith, "Specialized Hardware for Deep Network Packet Filtering," Proc. 12th Int'l Conf. Field-Programmable Logic and Applications (FPL), pp. 337-357, 2002.
[16] A. Aho and M. Corasick, "Efficient String Matching: An Aid to Bibliographic Search," Comm. ACM, vol. 18, no. 6, pp. 333-340, 1975.
[17] D.E. Knuth, J. James, H. Morris, and V.R. Pratt, "Fast Pattern Matching in Strings," SIAM J. Computing, vol. 6, no. 2, pp. 323-350, 1977.
[18] SNORT Official Web Site, http:/www.snort.org, 2011.
[19] ClamAV Official Web Site, http:/www.clamav.net, 2011.

Index Terms:
String matching, multipattern matching, TCAM, intrusion detection system, Aho-Corasick algorithm.
Citation:
SangKyun Yun, "An Efficient TCAM-Based Implementation of Multipattern Matching Using Covered State Encoding," IEEE Transactions on Computers, vol. 61, no. 2, pp. 213-221, Feb. 2012, doi:10.1109/TC.2010.273
Usage of this product signifies your acceptance of the Terms of Use.